compute.instances.setServiceAccount
Event
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
Security Context
- Swapping the service account on a Compute Engine instance immediately changes the credentials available via the metadata server, granting the instance — and any attacker on it — the permissions of the new service account.
- This is a direct privilege escalation technique where an adversary replaces a low-privilege service account with a high-privilege one to access resources beyond their original scope.
Log Source
Cloud Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
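Detection sketch for the swap described under Security Context, as an added example that is not part of the original entry. The log lines are constructed, and the layout (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `resourceName`, and a `request` carrying `email` and `scopes`) is assumed to follow the Cloud Audit Logs format and the API request body; `find_swaps` and `sa_project` are hypothetical helper names.

```python
import json

METHOD_SUFFIX = "compute.instances.setServiceAccount"  # logged with an API-version prefix
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
SA_DOMAIN = ".iam.gserviceaccount.com"

# Constructed sample entries, one JSON object per line (not from a real project).
SAMPLE_LOG = """\
{"timestamp": "2024-01-01T10:00:00Z", "operation": {"first": true}, "protoPayload": {"methodName": "v1.compute.instances.setServiceAccount", "authenticationInfo": {"principalEmail": "dev@example.com"}, "resourceName": "projects/app-dev/zones/us-central1-a/instances/web-1", "request": {"email": "admin-sa@org-admin.iam.gserviceaccount.com", "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}}}
{"timestamp": "2024-01-01T10:00:05Z", "operation": {"last": true}, "protoPayload": {"methodName": "v1.compute.instances.setServiceAccount", "authenticationInfo": {"principalEmail": "dev@example.com"}, "resourceName": "projects/app-dev/zones/us-central1-a/instances/web-1"}}
{"timestamp": "2024-01-02T09:00:00Z", "operation": {"first": true}, "protoPayload": {"methodName": "v1.compute.instances.setServiceAccount", "authenticationInfo": {"principalEmail": "ops@example.com"}, "resourceName": "projects/app-dev/zones/us-central1-a/instances/web-2", "request": {"email": "web-sa@app-dev.iam.gserviceaccount.com", "scopes": ["https://www.googleapis.com/auth/logging.write"]}}}
{"timestamp": "2024-01-02T09:30:00Z", "protoPayload": {"methodName": "v1.compute.instances.stop", "authenticationInfo": {"principalEmail": "ops@example.com"}, "resourceName": "projects/app-dev/zones/us-central1-a/instances/web-2"}}
"""

def sa_project(email):
    """Project id of a user-managed service account, or None (e.g. default accounts)."""
    domain = email.rpartition("@")[2]
    return domain[:-len(SA_DOMAIN)] if domain.endswith(SA_DOMAIN) else None

def find_swaps(lines):
    """Return one finding per service account swap, with reasons it looks risky."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload", {})
        except (ValueError, AttributeError):
            continue  # blank, malformed or non-object line
        if not payload.get("methodName", "").endswith(METHOD_SUFFIX):
            continue
        req = payload.get("request")
        if not req:
            continue  # completion entry of the same operation, no request body
        parts = payload.get("resourceName", "").split("/")
        inst_project = parts[1] if len(parts) > 1 else None
        email, reasons = req.get("email", ""), []
        if BROAD_SCOPE in req.get("scopes", []):
            reasons.append("cloud-platform scope")
        proj = sa_project(email)
        if proj and inst_project and proj != inst_project:
            reasons.append("cross-project service account")
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "instance": payload.get("resourceName"),
            "new_service_account": email,
            "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(find_swaps(SAMPLE_LOG.splitlines()), indent=2))
```

Compute Engine only accepts this call on a stopped instance, so a `compute.instances.stop` by the same principal shortly before the swap is useful corroborating context when triaging a finding.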